LetsRate.it

Privacy Notice

Privacy and Cookie Information

This notice explains how the operator of LetsRate.it handles personal data when you visit the public site, send a setup request, submit a review, or use the admin area.

Last updated: April 8, 2026
Controller contact: support@letsrate.it
Current notice language: English

This public notice is currently published in English. If you need a copy in another supported site language, please contact support@letsrate.it.

Configuration still required before production use

This legal notice contains unresolved controller, transfer, or retention placeholders. They are shown explicitly so inaccurate or incomplete wording does not go live by accident.

  • configure full legal operator name
  • configure legal form
  • configure full postal address
  • state whether hosting, email, and infrastructure providers are inside or outside the EEA
  • state the international transfer mechanism or confirm that no non-EEA transfer mechanism is needed
  • define the retention period for setup and demo requests
  • define the retention period for review submissions
  • define the retention period for review funnel analytics
  • define the retention period for inactive admin accounts
  • define the retention period for security logs
  • define the rolling retention period for backups
  • define the retention period for invoices and accounting records
Reviews: Low-friction, not identity-free by force

Reviews do not require an account or email address, but free-text comments may contain personal data if the reviewer chooses to enter it.

Role model: Separate controllers for review use

LetsRate.it operates the platform and integrity controls as its own controller; the relevant vendor is a separate controller for its own business use of review data.

Storage: Limited first-party storage

The current site code uses a session cookie, the rf_device anti-abuse cookie, and limited browser storage for language and admin convenience features.

1. Controller within the meaning of the GDPR

For the public site, setup-request flow, platform operation, billing/support administration, and the controller-side activities described below, the controller is:

Legal entity: [TODO: configure full legal operator name]
Legal form: [TODO: configure legal form]
Postal address: [TODO: configure full postal address]
Email: support@letsrate.it

Full provider-identification details should stay aligned with the public Impressum page.

2. Who this notice covers

This notice applies to:

  • visitors of the public LetsRate.it website and legal pages;
  • people sending setup, demo, or onboarding requests through the beta landing page;
  • end users submitting reviews through a QR code or review link;
  • vendor admins and super admins using the admin area; and
  • business customers whose billing, invoicing, and support data is handled in the platform.

3. Role allocation between LetsRate.it and vendors

The current notice is written for a separate-controllers model for review data. Under that model:

  • Public-site visitor data: LetsRate.it acts as controller.
  • Setup/demo request data: LetsRate.it acts as controller.
  • Vendor admin accounts, billing, support, and security logs: LetsRate.it acts as controller for its own customer and account-management operations.
  • Review submission data: LetsRate.it acts as an independent controller for operating the review platform, collecting/storing submissions, enforcing integrity controls, and presenting the data inside the platform.
  • Vendor use of review data: the relevant vendor acts as a separate controller for its own internal use of received review data, including quality improvement, customer-service follow-up, and business decision-making.

If a privacy request concerns a vendor's own downstream use of review data, LetsRate.it may redirect the requester to the relevant vendor or coordinate with that vendor as appropriate.

If contracts or business processes move to a processor or joint-controller model in future, this notice and the vendor-facing legal documentation must be updated before deployment.

4. Data we collect

  • Public-site activity: request metadata, security/session data, and form-protection data needed to deliver pages and protect the site.
  • Setup and onboarding requests: selected plan, company name, contact name, work email address, and submission time. In the current code, these requests are sent to a sales mailbox rather than written into the application database by default.
  • Review submissions: product or service identifier, rating answers, optional comment, submission timestamp, and optional delivery/order token.
  • Review-integrity signals: the rf_device device identifier, its server-side hash, hashed coarse network information, daily counters, and minute-based anti-abuse counters.
  • Review funnel analytics: timestamps showing when a review page is opened, with product and optional delivery identifiers.
  • Admin account and authentication data: email address, password hash, role, vendor relationship, session issue/revocation timestamps, failed login counters, and lockout information.
  • Billing and invoicing data: business contact details, billing address, company name, VAT/tax identifiers, invoice records, and invoice status.
  • Password reset and security audit data: hashed token data, hashed email, hashed IP-related data, hashed user-agent data, event type, event status, and timestamps.

Reviews do not require the reviewer to create an account or provide an email address. However, free-text comments may contain personal data if the reviewer chooses to enter it.

5. Whether you must provide data

  • Public site: basic technical request data is necessary to deliver pages and protect forms. Without it, the page may not function correctly.
  • Setup request: the company/contact/email fields marked as required are necessary to process the request. If they are not provided, LetsRate.it may not be able to respond.
  • Review form: rating answers may be required to submit a review. The comment field is optional. If the anti-abuse storage used by the review flow is blocked, review submission may not work correctly.
  • Admin area: email, password, session, and security data are necessary to create and operate admin accounts.
  • Billing and invoicing: billing identity and invoice data are required to provide paid services and issue invoices.

6. Processing activities, purposes, legal bases, and legitimate interests

Each processing activity is listed with the data involved, the purpose, the legal basis, and the legitimate interests relied on where Article 6(1)(f) GDPR applies.

  • Public website delivery and security
    Data involved: Request metadata, session data, security logs
    Purpose: Serve pages, protect forms, maintain security
    Legal basis: Article 6(1)(f) GDPR
    Legitimate interests: Secure operation of the website, fraud and abuse prevention, internal support and troubleshooting, defense of legal claims
  • Setup, demo, and onboarding requests
    Data involved: Selected plan, company name, contact name, work email, submission time
    Purpose: Respond to requests and take pre-contractual steps
    Legal basis: Article 6(1)(b) GDPR for pre-contractual steps; Article 6(1)(f) GDPR where follow-up and service improvement are needed
    Legitimate interests: Responding to inbound business requests, improving onboarding, internal support and troubleshooting
  • Review submissions
    Data involved: Product/service identifier, answers, optional comment, timestamp, optional delivery token
    Purpose: Collect and present feedback inside the platform
    Legal basis: Article 6(1)(f) GDPR for LetsRate.it as a separate controller for platform operation; the relevant vendor must identify and communicate its own legal basis for its separate-controller use of review data
    Legitimate interests: Operating a private feedback and service-improvement platform, maintaining reliable service-quality analytics, preserving review integrity
  • Anti-abuse and duplicate-prevention controls
    Data involved: rf_device, server-side hash, hashed coarse network data, counters, rate-limit records
    Purpose: Prevent spam, duplicate submissions, manipulation, and misuse
    Legal basis: Article 6(1)(f) GDPR
    Legitimate interests: Fraud and abuse prevention, protection against review manipulation, platform security, maintenance of reliable review analytics
  • Admin accounts and authentication
    Data involved: Email, password hash, role, session timestamps, failed login counters
    Purpose: Provide admin access and secure accounts
    Legal basis: Article 6(1)(b) GDPR for contract performance; Article 6(1)(f) GDPR for account security
    Legitimate interests: Account security, secure operation of the platform, defense of legal claims
  • Billing and invoicing
    Data involved: Business contact details, billing address, VAT/tax ID, invoice records
    Purpose: Provide paid service, issue invoices, and meet accounting/tax obligations
    Legal basis: Article 6(1)(b) GDPR and Article 6(1)(c) GDPR
    Legitimate interests: Not applicable where processing is required for contract performance or legal obligation
  • Password resets and security audit logs
    Data involved: Hashed token data, hashed email, hashed IP-related data, hashed user-agent data, event timestamps
    Purpose: Secure password-reset flow and investigate misuse
    Legal basis: Article 6(1)(f) GDPR
    Legitimate interests: Account security, fraud and abuse prevention, internal support and troubleshooting, defense of legal claims
  • Optional non-essential storage or future analytics
    Data involved: Would depend on the tool actually deployed
    Purpose: Only if such tools are added in future
    Legal basis: Consent under Article 6(1)(a) GDPR, where required
    Legitimate interests: Not applicable where consent is used

7. Cookies and similar storage

The current website code does not include third-party advertising cookies or analytics trackers. It does use limited first-party cookies and browser storage for session handling, review integrity, language preference, and admin convenience features.

Each item is listed with its storage type, the party setting it, its purpose, whether it is strictly necessary, and its duration.

  • PHPSESSID (or the active PHP session cookie name)
    Storage type: Cookie
    Party: First-party
    Purpose: Session state, form security, CSRF protection, authenticated admin sessions
    Strictly necessary: Yes, for the current requested website/admin functions
    Duration: Session only
  • rf_device
    Storage type: Cookie
    Party: First-party
    Purpose: Anti-abuse review integrity control used for one-review-per-day enforcement and spam-prevention logic
    Strictly necessary: Yes, for the current review-submission workflow and integrity controls
    Duration: Up to 2 years
  • letsrate_lang
    Storage type: localStorage
    Party: First-party
    Purpose: Remembers the landing-page language preference
    Strictly necessary: No, convenience preference only
    Duration: Until changed or cleared by the user/browser
  • Admin bulk-selection keys
    Storage type: sessionStorage
    Party: First-party
    Purpose: Admin-only temporary per-tab selection state in product-management screens
    Strictly necessary: No, convenience feature for the admin interface
    Duration: Until the tab/session ends

If anti-abuse storage is blocked, review submission may not function correctly. If analytics, marketing pixels, heatmaps, or external embedded tools are added in future, both this notice and any required consent mechanism must be updated before deployment.

8. Automated decision-making and profiling

LetsRate.it does not use solely automated decision-making that produces legal effects or similarly significant effects on individuals. The platform may apply limited automated anti-abuse controls such as temporary duplicate-submission or rate-limit blocks, but these are technical integrity controls intended to prevent spam and misuse rather than decisions with legal or similarly significant effects.

9. Sharing and disclosure

Personal data may be disclosed only to recipients that need it for the role they perform, including:

  • the relevant vendor or business being reviewed, acting as a separate controller for its own use of review data;
  • LetsRate.it authorized admins and support staff;
  • hosting, infrastructure, database, and backup providers;
  • mail delivery or mailbox providers;
  • accounting, tax, insurance, payment, and professional-adviser counterparties where needed;
  • legal, audit, and insurance advisers; and
  • public authorities where disclosure is legally required.

Service providers process personal data on LetsRate.it's instructions where applicable. Recipients should receive only the data necessary for their role. LetsRate.it does not sell personal data.

10. International transfers

Provider location summary: [TODO: state whether hosting, email, and infrastructure providers are inside or outside the EEA]

If personal data is processed outside the EEA, LetsRate.it currently relies on the following transfer mechanism or safeguard: [TODO: state the international transfer mechanism or confirm that no non-EEA transfer mechanism is needed].

You can request a copy or summary of the relevant safeguards by contacting support@letsrate.it.

11. Retention

  • PHP session cookie: session only.
  • rf_device: up to 2 years unless deleted earlier in the browser.
  • Password-reset token validity: 30 minutes.
  • Used password-reset tokens: 7 days.
  • Expired password-reset tokens: 2 days.
  • Password-reset audit logs: 90 days.
  • Setup and demo requests: [TODO: define the retention period for setup and demo requests]
  • Review submissions: [TODO: define the retention period for review submissions]
  • Review funnel analytics: [TODO: define the retention period for review funnel analytics]
  • Inactive admin accounts: [TODO: define the retention period for inactive admin accounts]
  • Security logs: [TODO: define the retention period for security logs]
  • Billing and invoice records: [TODO: define the retention period for invoices and accounting records]
  • Backups: [TODO: define the rolling retention period for backups]

12. Your rights

Depending on the law that applies to you, you may have the right to:

  • access personal data held about you;
  • rectify inaccurate or incomplete personal data;
  • erase personal data, where the legal requirements are met;
  • restrict processing, where the legal requirements are met;
  • object to processing based on legitimate interests;
  • data portability, where applicable;
  • withdraw consent at any time, where processing is based on consent; and
  • lodge a complaint with a supervisory authority.

To submit a request, contact support@letsrate.it and include enough detail for LetsRate.it to identify the relevant data, such as the contact email used, the product or vendor concerned, the approximate review or request date, and any other identifiers that help locate the record.

Identity verification may be required before a request is completed. Where a request concerns vendor-controlled downstream use of review data, LetsRate.it may redirect the requester to the relevant vendor or coordinate with that vendor.

13. Changes to this notice

LetsRate.it may update this page when legal requirements, provider setup, cookies/storage items, review workflows, billing tooling, or role allocation change. The newest version will be published here with an updated revision date.

© 2026 LetsRate.it